Land of little kings
“It will never happen,” says Matthias Bergt, smiling wryly. “You have 16 kings in Germany and they will always want to rule their kingdom.”
The Berlin-based von Boetticher partner is not the only one sceptical about the possibility of Germany ever having a single data protection authority. Marit Hansen, the data protection commissioner for the state of Schleswig-Holstein, is doubtful it will happen “in our lifetime”.
Unlike most other countries in the world, which delegate data protection law enforcement to a single body, in Germany the responsibility falls to a combination of 17 state authorities and a federal enforcer. Bar Bavaria, where separate bodies look after the public and private sectors, the state enforcers deal with both sectors, even though the two are governed by different laws: the public sector is subject to legislation that varies from state to state, while federal law governs the private sector. The federal enforcer looks after current as well as former federal organisations that have been privatised, and some sectors such as telecommunications and the postal service.
The rest of Europe – and indeed the world – has long followed Germany’s lead when it comes to data protection. It was a German state, Hesse, that enacted the world’s first data protection legislation in 1970, with other states quickly following suit and a federal act coming into force in 1978. It was a German politician, Jan Philipp Albrecht, who proposed the GDPR, and the EU regulation bears more than a passing resemblance to the German law it replaced. Naturally, Germany was the first EU member state to update its legislation to incorporate the new EU rules.
“I sometimes have the impression that colleagues [abroad] would like to hear the German opinion on data protection because we have had the same principles more or less since 1995 . . . we also have many statements from supervisory authorities to study,” says Philipp Schröder-Ringe, a partner at HÄRTING Rechtsanwälte in Berlin.
The extent to which other countries look to Germany was laid bare to Schröder-Ringe during his studies at Stockholm university – 90% of the books on data protection in the university’s library were German, he says.
As the EU tries to harmonise data protection law and its enforcement across the bloc, Germany offers a case study. Like in the EU under GDPR, in Germany separate state bodies have been tasked with enforcing the same law in a (theoretically) uniform way.
The results are mixed.
Starting with the law itself, the GDPR’s opening clauses – which allow EU member states to modify the provisions of the binding articles of the regulation – have been a cause for division among the German states just as they have among EU member states. Within Germany, one example is the requirement to hire a data protection officer. While some states include a strict requirement for organisations with 10 members or more to have a data protection officer, others, such as Bavaria, have included exceptions to that rule. There are also different requirements for when organisations need to carry out privacy impact assessments.
For Michael Schmidl, a partner at Baker McKenzie in Munich, the opening clauses have been used by legislators to try to preserve the status quo as much as possible. “I spoke with public officials who directly confirmed to me that their slogan was ‘maximum preservation’,” he says.
Differing interpretations of the law among Germany’s enforcers also highlight the difficulties in harmonising multiple bodies.
In 2013, Der Spiegel magazine reported that pharmaceutical data centres were selling prescription records to medical research companies, which used the data to produce studies that they sold to drugmakers. According to the magazine, the data being sold by one data centre had not been anonymised as it should have been, but rather contained a pseudonym in which the name of a patient was replaced with a lifelong code.
Thilo Weichert, the then-data protection commissioner of Schleswig-Holstein, called the practice a “long-term scandal”; he held that replacing names with numbers did not constitute anonymisation. “It is obvious that this data was used by the pharma industry to send reps to doctors to sell specific drugs. That is the aim of this data processing, which the anonymous data is supposed to prevent,” he said at the time in an interview with Deutsche Welle.
But Bavaria’s data protection commissioner, Thomas Kranig, had a different opinion. He defended the data handling, arguing that the records had been encrypted in such a way that the behaviour of the doctor or the patient couldn’t be tracked.
It is not the only instance of disagreement among Germany’s privacy watchdogs.
In March, the Datenschutzkonferenz (DSK), a German body similar to the European Data Protection Board (EDPB) that brings the state authorities together, issued a paper contradicting an earlier opinion published by the Hesse enforcer. The Hesse authority had said merchants have a legitimate interest in passing email addresses on to delivery companies so that they can inform customers of the status of their deliveries; but the DSK said merchants would have to obtain extra consent to do so.
And at the beginning of 2018, the DSK issued guidance on video surveillance that contradicted a respected data protection foundation’s advice on the matter. At issue was the extent to which people need to be informed when they are being filmed in public: the foundation, known as the Data Protection and Data Security Society, said a notice telling people that they were being filmed and the name of the data controller would suffice, whereas the DSK said more details of the data processing would need to be given. Lawyers are still seeking clarification on the matter.
There is also anecdotal evidence of differences between enforcers’ approaches, and lawyers speak of a north–south divide.
“It is sometimes said that the data protection authorities from the southern part of Germany are supposed to be a bit more business-friendly than [those] in the northern part of Germany,” says Undine von Diemar, partner at Jones Day in Munich.
Others are less cautious in their assessments: “It gets less constructive the more north you go – especially if you are an American company,” says one lawyer, who recalls a “tight fight” with the Berlin authority over a new software service contrasting starkly with the “constructive dialogue” they had with the Bavarian enforcer over the same topic.
It seems no two states illustrate this perceived north–south divide more than Schleswig-Holstein and Bavaria.
Connecting Denmark to the rest of Germany, the state of Schleswig-Holstein has long loomed large on the data protection scene. GDPR architect Jan Philipp Albrecht represents the state in the European Parliament, and its enforcer was involved in a high-profile battle with Facebook and the local operator of a Facebook fan page that reached the European Court of Justice (the court found in favour of the watchdog, ruling that both parties shared responsibility for protecting data).
Observers say the authority is unafraid to voice its opinion: “very loud” is how one describes it, while another describes the authority, along with Hamburg’s enforcer (also seen as influential), as “liking publicity” and being after “a big fish”.
Yet another lawyer says they would not like to advise clients subject to the Schleswig-Holstein commissioner’s jurisdiction because “you know they always take the approach that’s strongest.”
Some say Schleswig-Holstein’s assertive approach is the legacy of Thilo Weichert, who served as the state’s data protection commissioner between 2004 and 2015. He is a long-standing critic of Facebook and one of the German data protection scene’s most vocal commentators. To this day, employees at the authority are banned from using both Facebook and Twitter because it is not satisfied that either handles data properly.
But even among lawyers who call some of Weichert’s positions “extreme”, there is a grudging respect for him. “He published quite a bit and was just one of the pioneers of data protection law,” says Daniel Rücker, a partner at Noerr in Munich. “He was often taking extreme positions, but [they were] very high quality and well argued.”
Asked whether the characterisation of Schleswig-Holstein as a strict enforcer is fair, the current commissioner, Marit Hansen, says: “We try to interpret the law how it is. I don’t think we are overly strict. We encourage . . . good solutions.” She points to the authority’s first-of-its-kind data protection certification scheme as evidence that it is as concerned with constructive solutions as with coming down hard on companies.
Hansen does, however, admit that the enforcer’s ban on Facebook and Twitter displays a strictness “not shared by many”.
“We don’t think social media is bad, but we want them to change according to the law,” she says.
Bavaria’s watchdog is also seen as one of Germany’s most influential – and comes in for much praise by lawyers: “Probably one of the best in Europe,” is how Stefan Schicker, a partner at SKW Schwarz in Munich, describes it. For Rücker, the Bavarian body is strict but reasonable. “I have a very high opinion of the authority; they always see the big picture and try to balance things in a reasonable way,” he says.
Baker McKenzie partner Schmidl describes the Bavarian regulator as “very pragmatic and close to the economy”. He also praises the authority for answering questions promptly, something he says cannot always be said of Germany’s other data protection authorities.
Bavarian data protection commissioner Kranig is commended for the proactive role his agency takes too. After the European Court of Justice invalidated the safe harbour agreement, Kranig’s authority sent out questionnaires asking organisations how they dealt with data transfers between the US and the EU.
In another instance, it sent letters to thousands of companies telling them to activate a type of email encryption required by law. For von Boetticher partner Bergt, this was a welcome intervention.
“[The authority] requested that companies activate StartTLS. I think that’s very good because I often have this problem. StartTLS is an [internet standard] from 1999 and still there are many companies that haven’t activated this, which I really don’t understand because that’s two minutes’ work and it gives really good protection,” says Bergt.
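As an added illustration of the check behind Bergt’s point, not part of the original article or of any authority’s tooling: a small Python script that parses an SMTP server’s EHLO reply and reports whether STARTTLS (RFC 3207) is advertised, which is the first thing a mail administrator would verify after such a letter. The EHLO replies and host names in it are constructed, and the live check function is hypothetical usage against a server you operate.

```python
"""Check whether an SMTP server advertises STARTTLS (RFC 3207).

Added example, not from the article. The EHLO replies below are constructed
to look like what a server sends after the client's EHLO command.
"""
import smtplib
from typing import Dict, List, Tuple

# Constructed EHLO reply from a server that offers STARTTLS.
SAMPLE_EHLO_REPLY_WITH_STARTTLS = [
    "250-mail.example.test Hello client.example.test",
    "250-SIZE 52428800",
    "250-PIPELINING",
    "250-STARTTLS",
    "250 8BITMIME",
]

# Constructed EHLO reply from a server that has not enabled STARTTLS.
SAMPLE_EHLO_REPLY_WITHOUT_STARTTLS = [
    "250-mail.example.test Hello client.example.test",
    "250-SIZE 52428800",
    "250 8BITMIME",
]


def parse_ehlo_reply(lines: List[str]) -> Dict[str, str]:
    """Return the extensions advertised in an EHLO reply as {KEYWORD: params}.

    The first 250 line carries the server's greeting, not an extension.
    Each following line is "250-KEYWORD [params]" (more lines follow) or
    "250 KEYWORD [params]" (last line). Keywords are case-insensitive.
    """
    extensions: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params.strip()
    return extensions


def advertises_starttls(lines: List[str]) -> bool:
    """True if the EHLO reply offers the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_reply(lines)


def live_starttls_check(host: str, port: int = 25,
                        timeout: float = 10.0) -> Tuple[bool, str]:
    """Connect to a mail server you operate and report whether it offers STARTTLS.

    Hypothetical usage, not exercised by the offline samples above.
    Returns (offered, ehlo_text). smtplib lowercases extension names, so
    has_extn() is queried with "starttls".
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, ehlo_text = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed with {code}: {ehlo_text!r}")
        return smtp.has_extn("starttls"), ehlo_text.decode(errors="replace")


if __name__ == "__main__":
    for name, reply in (("with", SAMPLE_EHLO_REPLY_WITH_STARTTLS),
                        ("without", SAMPLE_EHLO_REPLY_WITHOUT_STARTTLS)):
        print(f"sample {name} STARTTLS -> advertised: {advertises_starttls(reply)}")
```

An advertised STARTTLS is only the opportunistic first step: the protection Bergt describes also depends on the sending side actually upgrading the connection and validating the certificate, so a full audit of a mail setup checks both the EHLO reply and the TLS handshake that follows.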
He adds that the authority uses the media shrewdly, issuing press releases when it publishes an opinion or decision. “I think it’s very important so the public gets to know the work the authority does . . . I think it’s not so important to fine everybody, but to make these fines public,” he says.
According to Jones Day partner von Diemar, the Ansbach-headquartered regulator takes its advisory role seriously, especially for small- and mid-sized businesses: “I can definitely say . . . that the Bavarian data protection authority really aims to establish a good working relationship with companies and their legal advisers, with the aim of promoting data protection.”
For staff at the watchdog itself, the oft-mentioned north–south divide is more hearsay than anything else. “I’ve heard people make that statement, but I don’t know if that’s empirically verifiable,” says Mirka Möldner, who heads the department in charge of the insurance companies and health sectors, as well as freelancers and non-profit organisations at the regulator.
It perhaps shouldn’t come as a surprise that Bavaria’s regulator comes in for praise. After all, it can afford to carry out its duties. As Morrison & Foerster’s Hanno Timner puts it: “Bavaria is one of the wealthier German states and has enough money to employ people, which is not always the case in other states”.
But even an authority as well-funded as Bavaria’s has its work cut out. Timner estimates it has around 15 members of staff dedicated to investigations – compared to over 2 million companies in the state.
A fine of more than €1 million for the German railway operator Deutsche Bahn in 2009 is among the highest to have been levied for data protection law violations in Europe. Even so, Timner says enforcement action has not historically been an issue in Germany. He says that of the 50 or so fines levied by the Bavarian authority in the past year, around 30 were worth less than €1,000.
Berlin’s regulator was even more hands-off, handing out just six fines last year, according to Bergt. “I tell my clients to just fly under the radar, because [the authority] does not have the resources to actively find infringers. So you just need to make sure there won’t be any complaints and if you manage this, you’re safe.”
But this state of affairs is likely to change. The GDPR’s much-publicised penalties will make companies pay more attention to data protection authorities.
Germany’s regulators are taking their new responsibilities seriously. Commissioners now meet around seven times a year under the auspices of the DSK, rather than in a biannual conference that was previously the norm. Data protection heads now also regularly communicate informally via email or phone to harmonise decision-making – a practice Schleswig-Holstein commissioner Hansen describes as “good but stressful”.
And for all the talk of divergences in opinions and of a north–south divide, Germany’s data protection enforcers are increasingly a paragon of cooperation. Lawyers talk of an enforcement landscape that is more and more aligned. “I think over the last half-year or year . . . [the state regulators] are really trying to align what they say much more than they did before,” Timner says.
This latest push for greater harmonisation is just the latest chapter in a history of increasing cooperation, first through the Düsseldorfer Kreis, a grouping of private sector privacy commissioners that merged with the DSK once the enforcers themselves started merging the public and private sector roles.
The DSK has many more sector-specific working groups than its EU equivalent, the EDPB, which looks to harmonise the interpretation of the GDPR across the bloc. The DSK’s papers on the articles of the GDPR are praised by SKW Schwarz’s Schicker as “short and concise – they are very much focused on how to implement the law in practice”.
But for Greenberg Traurig Berlin counsel Carsten Kociok, the DSK’s papers are too brief; he prefers the resources provided by the UK’s Information Commissioner’s Office, which can run to 40 pages or more – providing a “real compendium with examples and getting into the details”.
This brevity could be a symptom of the DSK’s consensus-driven approach – and an example of its limits. For Bergt, the DSK seems to be “afraid of saying anything” in its papers. “The reason why their papers are worse than they should be is that [the enforcers] have to agree on every word and it seems to be really, really hard for them.”
But alignment between the enforcers is still a work in progress, lawyers say. “I think the German authorities now, more than ever, need to come to joint positions,” says Rücker. “At the moment, in my impression, this is developing more and more, and can be seen in several joint opinions recently published by the German Datenschutzkonferenz.”
A rotating position on the EDPB, where state commissioners will take turns to represent Germany alongside its federal enforcer, will make greater harmonisation ever more crucial. Other EU member states are represented by just one enforcer.
For Friederike Gräfin von Brühl, a partner at K&L Gates in Berlin, the difficulties Germany has had in enforcing harmonisation should serve as a warning to the EU as it tries to do the same. “Already within Germany the enforcement positions are quite different. They are trying to harmonise enforcement . . . but there are still discrepancies and between EU member states, such discrepancies will likely be even stronger,” she says.
Schicker says the main challenge in aligning the views of 16 data protection authorities in Germany is politics. “I think you have to understand that there are 16 little kingdoms, which have developed their own traditions and specialties over the years. The challenge now is to harmonise these independently developed opinions – it will be interesting to see whether that can happen.”
Copyright © Law Business Research. Company Number: 03281866. VAT: GB 160 7529 10